Forwarding Packet to Another Public IP

Hello guys, so I have 2 sites, Site A & B. We have a server farm in site B that used to be in site A, and then we migrated, and that's what happened. So my boss did not want to stop site A but instead wanted to keep using it, because our client whitelists our public IP in site A. So I have to configure every packet that hits site A to be forwarded to site B. In doing so, I tried building a tunnel between the sites using DMVPN so the server in B can be accessed from site A. After I configured that I can ping the server that is in site B, but when I NAT the traffic to that server it failed, it doesn't work. I tried very hard to solve this, but if someone can really help I would appreciate it. Thank you

Re: Forwarding Packet to Another Public IP

We need more information. How did you set up your NAT? What does routing look like, i.e. at site B towards the client? One possible point of failure I can see is if you do DNAT at Site A for customer traffic, servers on site B might route return traffic to clients directly instead of going via site A. So you would have to do both DNAT and SNAT to make sure that traffic goes via site A both ways.

Re: Forwarding Packet to Another Public IP

We also need information about the addressing used. What is the public IP of sites A and B? What is the LAN subnet(s) of site A and B? What are the IP addresses of the servers that are now at site B? Did that subnet move from site A to site B, or is part of that subnet still at site A?

Re: Forwarding Packet to Another Public IP

Unfortunately I can't really give you a guide to follow, because exact implementation would depend on what product you are using, and not knowing the exact setup.

Also it was quite some time since I did anything remotely similar, so I'm a bit rusty regarding this, perhaps someone else that has more recent working experience can chime in if I'm way off here.

The problem as I see this is that when you use NAT (I'm assuming you set up destination nat) at site A to redirect traffic to servers on site B, that only affects traffic going from client to servers. If the return traffic does not get routed back symmetrically through site A on its way back to the client, it will not work.

I can think of 2 possible ways to work around this.

One is to use SNAT (source nat) to make it look like the client is located at site A.

The second alternative is to use policy based routing to get the return traffic to go through site A.

Both should work, but without being able to try it out in a lab/test environment it's just what comes to mind.

In the end it's a bit hard to give truly reliable advice here with extremely limited information and knowledge about the environment.

Re: Forwarding Packet to Another Public IP

Ok so on site A I'm using a Cisco 881M series and on site B I'm using a Cisco 4321.

On site A there is no server or anything, just a router connected to the ISP.

On site B I'm doing IP SLA PBR because it's using 2 ISPs, and for the LAN there are plenty of server farms so I'm using subinterfaces.

Because I want to redirect traffic from site A to B, I configured EIGRP on both sites and connected them with DMVPN, so there will be a route to server B from A, and then I just configured NAT inside static from A, but that's where the problem starts.

The problem is when I SSH or telnet from site A to the server in site B it works, but it'll not work with NAT; I'm confused.

Re: Forwarding Packet to Another Public IP

I'm a bit confused about your IP arrangement, so I should configure this in R2, right? That has no server in it. And in your ACL, is that the LAN address of R1? And in the NAT pool, is it the WAN address of R2? Thanks sir

Re: Forwarding Packet to Another Public IP

Yes, the commands I suggested should be implemented on R2 in this case. (The router without the servers.)

The addresses in my acl are supposed to be the public IP that the customers are using to connect to you.

If this doesn't work as intended you could try an extended acl instead with any as source (unless you know what IPs the customer are coming from) and the public "server" IPs as destination.

The NAT pool can be just about any IP that will look like it's located at the R2 site.

In this case using private addresses is fine.

The NAT command should add the routes to your IGP (EIGRP?) so that R1 knows how to reach them.

Or you can add the network manually with an add route command.

What we are trying to do is to change the source address of the customer/client connections to look like they are coming from the R2 site. So if you have public IPs that you can use, that would also work, but in this case the translated addresses should only be seen by your network, which is why using private IPs works just fine.

This will make sure that the return traffic from the R1 site goes via R2 on its way back to the customer.
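The asymmetric-return problem described in the two replies above, and the DNAT-plus-SNAT fix, written out as a single IOS configuration. This is an added example, not configuration posted by anyone in this thread, and every name and address in it is a placeholder chosen for illustration: R2 is the site A router, GigabitEthernet0 is its ISP-facing interface, Tunnel0 is the DMVPN tunnel towards R1 (site B), 203.0.113.9 is R2's own WAN address, 203.0.113.10 is the whitelisted public IP the customers connect to, 10.20.0.50 is the server now at site B, 10.99.0.0/24 is a private pool used only to re-source customer traffic, and EIGRP AS 100 is the IGP already running over the tunnel. Interface names and the exact NAT options available differ between the 881 and the 4321 and between IOS releases.

```cisco
! --- R2 (site A, no servers) --- hypothetical addressing, see lead-in ---
!
! ISP-facing side: NAT "outside". R2 keeps its own address (.9) separate
! from the whitelisted address (.10) so the DMVPN/NHRP session to R1,
! which is sourced from .9, is not swallowed by the static NAT below.
interface GigabitEthernet0
 ip address 203.0.113.9 255.255.255.248
 ip nat outside
!
! DMVPN tunnel towards R1: this is the "inside" side from NAT's point of view.
interface Tunnel0
 ip nat inside
!
! Customers whose source address will be rewritten. Narrow this to the
! customers' real addresses if they are known; "any" is the fallback the
! earlier reply mentions when they are not.
ip access-list extended CUSTOMERS
 permit ip any host 203.0.113.10
!
! DNAT: connections to the whitelisted public IP at site A are sent to the
! server that now lives at site B, across Tunnel0.
ip nat inside source static 10.20.0.50 203.0.113.10
!
! SNAT: customer sources are replaced with an address from a pool that
! "belongs" to site A, so the server's return traffic is routed back to R2
! instead of straight out of site B's own ISP links.
ip nat pool SNAT-POOL 10.99.0.1 10.99.0.254 netmask 255.255.255.0
ip nat outside source list CUSTOMERS pool SNAT-POOL add-route
!
! add-route installs host routes for the translated addresses on R2 itself;
! redistributing them makes R1 learn that 10.99.0.0/24 sits behind Tunnel0.
router eigrp 100
 network 10.0.0.0
 redistribute static
!
! Optional: keep a record of which customer address mapped to which pool
! address, because the server at site B now only sees 10.99.0.x.
ip nat log translations syslog
```

To check the result, connect from a customer address and look at `show ip nat translations` on R2: each entry should show the customer's public IP translated to a 10.99.0.x address and 203.0.113.10 translated to 10.20.0.50. On R1, `show ip route 10.99.0.0` must resolve to a next hop on Tunnel0; if redistribution is not wanted, a manual `ip route 10.99.0.0 255.255.255.0 <R2 tunnel address>` on R1 does the same job. Because the SNAT hides the real client addresses from the servers at site B, the translation log on R2 becomes the only place that ties a server-side session back to the customer who opened it, so keep it, and keep the CUSTOMERS ACL as tight as the known customer addresses allow.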
